Hello, in this post we do a network traffic analysis of the exercise IT'S A TRAP.
DETAILS OF LAN SEGMENT
- LAN segment range: 10.6.13[.]0/24 (10.6.13[.]0 through 10.6.13[.]255)
- Domain: massfriction[.]com
- Active Directory (AD) domain controller: 10.6.13[.]3 - WIN-DQL4WFWJXQ4
- AD environment name: MASSFRICTION
- LAN segment gateway: 10.6.13[.]1
- LAN segment broadcast address: 10.6.13[.]255
We load the PCAP file in Snort to list the alerts it would have triggered,
The alert count is 138. Let's view the types of alerts,
The port scanning alert seems interesting.
Multiple HTTP URI alerts were also observed, nearly all of them to or from 10.6.13.133.
After we analyze the DNS entries, we find some entries that might be suspicious.
The VirusTotal results confirm we are on the right track.
All these outbound connections originated from 10.6.13.133 (the Snort HTTP URI alerts in fig. 2 named the same IP).
We now analyze the HTTP requests from the same IP address,
BINGO! The very first request to one of the suspicious domains carries a PowerShell user agent. We follow the request in the HTTP stream,
The response contains a PowerShell script. Let’s view the script,
Most of the lines are dead code that never touches the payload, for example:
for ($i = 0; $i -lt 5; $i++) { $nextvar = $i }      # loop whose result is never read
try { $y = 0 } catch { $error }                      # try block that cannot throw
if ($errorLevel -gt 7) { Write-Output '$result' }    # single-quoted '$result' is a literal, not the variable
while ($binpath) { Start-Sleep -Seconds 0 }          # zero-second sleep loop
We mark every line that matches one of these patterns,
and remove them,
Insight (From fig. 20):
- The first blob holds base64-encoded string chunks that are concatenated later.
- The second string holds the PowerShell call that decodes the concatenated base64.
- The third string executes the decoded script.
We use the following CyberChef recipe to extract the base64 chunks, concatenate them, and decode the result:
Regular_expression('User defined','\\s=\\s"(.*?)"',true,true,false,false,false,false,'List capture groups')
Find_/_Replace({'option':'Extended (\\n, \\t, \\x...)','string':'\\n'},'',true,false,true,false)
From_Base64('A-Za-z0-9+/=',true,false)
We load the recipe in CyberChef,
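The same extraction done in Python instead of CyberChef, as an added example that is not part of the original write-up: the four dead-code shapes quoted above are stripped by regex, the double-quoted strings are captured with the same `\s=\s"(.*?)"` pattern, and the chunks are concatenated before decoding, because a single chunk on its own need not be valid base64. The sample script is constructed here from a known plaintext (the real payload is not reproduced), and the UTF-16LE check is a heuristic for the common PowerShell encoding, not something the page states.

```python
from __future__ import annotations

import base64
import re

# Dead-code shapes seen in the sample (the four lines quoted above).
# A line is dropped only when the whole line matches one of them.
DEAD_CODE_PATTERNS = [
    re.compile(r"^\s*for \(\$\w+ = \d+; \$\w+ -lt \d+; \$\w+\+\+\) \{ \$\w+ = \$\w+ \}\s*$"),
    re.compile(r"^\s*try \{ \$\w+ = \d+ \} catch \{ \$error \}\s*$"),
    re.compile(r"^\s*if \(\$\w+ -gt \d+\) \{ Write-Output '\$\w+' \}\s*$"),
    re.compile(r"^\s*while \(\$\w+\) \{ Start-Sleep -Seconds \d+ \}\s*$"),
]

# Same capture as the CyberChef step: the double-quoted string after ' = '.
# Note it matches ANY double-quoted assignment, so non-blob strings would be picked up too.
BLOB_RE = re.compile(r'\s=\s"(.*?)"')
NOT_B64_RE = re.compile(r"[^A-Za-z0-9+/=]")


def strip_dead_code(script: str) -> str:
    """Drop lines matching a junk pattern; keep everything else untouched."""
    kept = [line for line in script.splitlines()
            if not any(p.match(line) for p in DEAD_CODE_PATTERNS)]
    return "\n".join(kept)


def extract_blobs(script: str) -> list[str]:
    """Return the double-quoted string literals in assignment order."""
    return BLOB_RE.findall(script)


def decode_blobs(blobs: list[str]) -> str:
    """Concatenate first, then base64-decode (as the recipe does)."""
    joined = NOT_B64_RE.sub("", "".join(blobs))
    raw = base64.b64decode(joined)
    # Heuristic: PowerShell frequently uses UTF-16LE; a NUL second byte is the tell.
    if len(raw) >= 2 and raw[1] == 0:
        return raw.decode("utf-16-le")
    return raw.decode("utf-8")


def deobfuscate(script: str) -> str:
    return decode_blobs(extract_blobs(strip_dead_code(script)))


# Constructed sample in the shape of the captured script (not the real payload):
# a known plaintext is encoded and split into chunks so the round trip is checkable.
_PAYLOAD = "Write-Output 'hello from stage two'"
_B64 = base64.b64encode(_PAYLOAD.encode()).decode()
SAMPLE_SCRIPT = "\n".join([
    "for ($i = 0; $i -lt 5; $i++) { $nextvar = $i }",
    f'$a1 = "{_B64[:16]}"',
    "try { $y = 0 } catch { $error }",
    f'$a2 = "{_B64[16:32]}"',
    "while ($binpath) { Start-Sleep -Seconds 0 }",
    f'$a3 = "{_B64[32:]}"',
    "$b = $a1 + $a2 + $a3",
    "if ($errorLevel -gt 7) { Write-Output '$result' }",
    "$c = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b))",
    "Invoke-Expression $c",
])

if __name__ == "__main__":
    print(strip_dead_code(SAMPLE_SCRIPT))
    print(deobfuscate(SAMPLE_SCRIPT))
```

Run the script against the second, 13K-line stage as well: the stripping step is what makes the blob assignments visible, and the decode step is identical.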
The decoded base64 contains another PowerShell script. Let’s view it.
After deobfuscation, the script we get,
The output of the command systeminfo is passed as a POST request to the URL “eventdata-microsoft[.]live/NV4RgNEu”.
We can see an outbound request to this newly uncovered URL,
We can see the systeminfo output in the TCP stream,
Additionally, the server's response carries another PowerShell script,
Let's view this script,
This PowerShell script seems extremely obfuscated, spanning over 13K lines of code. Deobfuscating this lengthy script is near impossible until…
We use bankai!
We mark the redundant lines just as before,
Removing them, we are left with,
We observe the same pattern: base64 blobs concatenated and invoked. We use the same CyberChef recipe as earlier,
The output is another obfuscated PowerShell script,
When deobfuscated, we get a readable PowerShell script,
Insight (From fig. 32):
- The PHP binaries for Windows are downloaded from the URL to the %temp% location as php.zip.
- The downloaded zip is extracted to the ApplicationData\php directory.
- After extraction, php.zip is deleted from %temp%.
- The absolute paths of the config file and the PHP binary are stored in two variables:
  - $mv = ApplicationData\php\config.cfg
  - $YupgDUknfb = ApplicationData\php\php.exe
- Another base64-encoded string is stored in the variable $X9.
The decoded base64 contains an obfuscated PHP script,
Insight (From fig. 34):
- The first section decodes the base64 data (the PHP script) and writes it to ApplicationData\php\config.cfg, the path held in $mv.
- The second section runs the obfuscated PHP script with the legitimate PHP binary downloaded earlier and extracted to ApplicationData\php. The output of the PHP script is written to two files, whose paths are held in $UZ3eaxi6FRJQ0yaCX and $GhzCP.
- The contents of those two files are read into $lMeQbHXUc and $2oRVdufAtTxwFJB.
- Once the contents are stored, the two files are deleted.
- The third section concatenates the two values with the delimiter "-=-=-=-=-=-" and sends the result as a POST request to the URL "comprehensive-cabin-spend-organic[.]trycloudflare[.]com/NV4RgNEu".
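Triage of the HTTP requests discussed in this write-up (the PowerShell user agent on the first request, the POST to /NV4RgNEu on both C2 hosts, and the delimiter-joined exfil body) as an added example, not code from the original post. The input is constructed in the shape of `tshark -T fields` output; the first-stage host `stage1.invalid` is a placeholder because the write-up does not reproduce that domain, and the request bodies are stand-ins for the real ones.

```python
from __future__ import annotations

from collections import Counter

# Field order of the constructed records, matching what
# `tshark -r its_a_trap.pcap -Y http.request -T fields -e ip.src -e http.request.method
#   -e http.host -e http.request.uri -e http.user_agent -e http.file_data` prints.
FIELDS = ["ip.src", "http.request.method", "http.host",
          "http.request.uri", "http.user_agent", "http.file_data"]

C2_PATH = "/NV4RgNEu"               # path used on both C2 hosts in the write-up
EXFIL_DELIM = "-=-=-=-=-=-"         # delimiter joining the two PHP outputs
PS_UA_MARKER = "WindowsPowerShell/"  # Invoke-WebRequest's default user agent contains this

# Constructed sample, not the real capture. Hosts are defanged as on the page;
# stage1.invalid is a placeholder for the first suspicious domain.
_PS_UA = "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682"
SAMPLE_TSHARK = "\n".join([
    "\t".join(["10.6.13.50", "GET", "www.example.com", "/",
               "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0", ""]),
    "\t".join(["10.6.13.133", "GET", "stage1.invalid", "/", _PS_UA, ""]),
    "\t".join(["10.6.13.133", "POST", "eventdata-microsoft[.]live", C2_PATH, _PS_UA,
               "Host Name: DESKTOP-5AVE44C (stand-in for the systeminfo output)"]),
    "\t".join(["10.6.13.133", "POST",
               "comprehensive-cabin-spend-organic[.]trycloudflare[.]com", C2_PATH, _PS_UA,
               "first output" + EXFIL_DELIM + "second output"]),
])


def parse_tshark_fields(text: str) -> list[dict[str, str]]:
    """Turn tab-separated field lines into dicts; missing trailing fields become ''."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        values = line.split("\t")
        values += [""] * (len(FIELDS) - len(values))
        records.append(dict(zip(FIELDS, values)))
    return records


def is_powershell_ua(user_agent: str) -> bool:
    return PS_UA_MARKER in user_agent


def is_c2_post(record: dict[str, str]) -> bool:
    return record["http.request.method"] == "POST" and record["http.request.uri"] == C2_PATH


def triage(records: list[dict[str, str]]) -> dict:
    """Flag PowerShell-originated requests and POSTs to the known C2 path; count sources."""
    flagged = [r for r in records if is_powershell_ua(r["http.user_agent"]) or is_c2_post(r)]
    return {
        "powershell_ua": [r for r in records if is_powershell_ua(r["http.user_agent"])],
        "c2_posts": [r for r in records if is_c2_post(r)],
        "sources": Counter(r["ip.src"] for r in flagged),
    }


def split_exfil(body: str) -> list[str]:
    """Recover the individual PHP outputs from the delimiter-joined POST body."""
    return body.split(EXFIL_DELIM)


if __name__ == "__main__":
    result = triage(parse_tshark_fields(SAMPLE_TSHARK))
    print("sources:", dict(result["sources"]))
    for r in result["c2_posts"]:
        print(r["http.host"], split_exfil(r["http.file_data"]))
```

The user-agent check is the quick win here: a host whose first contact with a new domain is made by PowerShell rather than a browser is exactly the pattern that led to the script in fig. 2.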
The MAC address and host name of the infected client come from its DHCP traffic: the client hardware address and the host name option (option 12) in the DHCP Request/ACK exchange for 10.6.13.133.
The user account name comes from Kerberos: the CNameString in the AS-REQ sent by the same client (names ending in $ are machine accounts, not users).
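The DHCP attribution step as an added example, not part of the original post: a minimal parser that pulls the client hardware address, option 12 (host name), option 50 (requested IP) and option 53 (message type) out of a raw DHCP message, i.e. the UDP payload of the packet. The packet is constructed here by a small builder from the values the write-up reports, so it stands in for the real capture.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132: separates the BOOTP header from the options
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 7: "RELEASE"}


def build_dhcp_request(mac: bytes, hostname: str, requested_ip: str,
                       xid: int = 0x3903F326) -> bytes:
    """Build a minimal BOOTREQUEST with options 53 (REQUEST), 12 and 50.

    Used only to construct the sample packet below; a real analysis reads the
    UDP payload from the capture instead.
    """
    # op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr (28 bytes)
    header = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, len(mac), 0, xid, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    chaddr = mac.ljust(16, b"\0")            # 16-byte client hardware address field
    sname_and_file = b"\0" * (64 + 128)      # unused legacy BOOTP fields
    options = (bytes([53, 1, 3])
               + bytes([12, len(hostname)]) + hostname.encode("ascii")
               + bytes([50, 4]) + bytes(int(o) for o in requested_ip.split("."))
               + b"\xff")
    return header + chaddr + sname_and_file + MAGIC_COOKIE + options


def parse_dhcp(payload: bytes) -> dict:
    """Extract the fields that attribute a DHCP client; raise on non-DHCP data."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (no magic cookie at offset 236)")
    hlen = payload[2]
    result = {
        "mac": ":".join(f"{b:02X}" for b in payload[28:28 + hlen]),
        "your_ip": ".".join(str(b) for b in payload[16:20]),   # yiaddr: the lease in OFFER/ACK
        "message_type": None,
        "hostname": None,
        "requested_ip": None,
    }
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:           # pad option, no length byte
            i += 1
            continue
        if code == 255:         # end option
            break
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if code == 53 and data:
            result["message_type"] = MESSAGE_TYPES.get(data[0], str(data[0]))
        elif code == 12:
            result["hostname"] = data.decode("ascii", errors="replace")
        elif code == 50 and length == 4:
            result["requested_ip"] = ".".join(str(b) for b in data)
        i += 2 + length
    return result


# Constructed sample built from the values reported in the answers below.
SAMPLE_REQUEST = build_dhcp_request(bytes.fromhex("247703ac97df"), "DESKTOP-5AVE44C", "10.6.13.133")

if __name__ == "__main__":
    print(parse_dhcp(SAMPLE_REQUEST))
```

Option 12 is supplied by the client, so it is worth confirming against a second source: in Wireshark the filter `kerberos.CNameString` shows the AS-REQ names from the same host, where the entry ending in `$` is the machine account (the host name again) and the one without it is the user.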
QUESTIONS & ANSWERS
- What is the IP address of the infected Windows client? 10.6.13.133
- What is the mac address of the infected Windows client? 24:77:03:AC:97:DF
- What is the host name of the infected Windows client? DESKTOP-5AVE44C
- What is the user account name from the infected Windows client? rgaines
We meet next time dissecting another sample or coming up with an evasion technique; until then, nabad gelyo (goodbye).